#copy or link this file to ~/.visidatarc

from datetime import datetime
import functools

# sym-ts = hex-encoded NT timestamp. The conversion below divides by 10**7 to
# reach seconds, so the unit is 100-nanosecond ticks counted from 1601-01-01.
def sym_time(val):
    """Convert a hex-encoded NT timestamp string into a ``datetime``.

    Args:
        val: Hexadecimal string holding the tick count since 1601-01-01.

    Returns:
        A naive ``datetime`` in the local timezone of the machine running
        the conversion (``datetime.fromtimestamp`` is called without a tz).
        Keep that in mind when correlating with logs recorded in UTC or on
        hosts in another timezone.

    Raises:
        ValueError: If ``val`` is not valid hexadecimal.
    """
    ticks = int(val, 16)
    # 11644473600 s is the distance between 1601-01-01 and the Unix epoch.
    unix_seconds = (ticks / 10000000) - 11644473600
    return datetime.fromtimestamp(unix_seconds)

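@functools.lru_cache()
def vendor(mac):
    """Return the vendor name registered for a MAC address.

    Uses the optional ``mac_vendor_lookup`` package. Results are memoised
    per distinct ``mac`` for the lifetime of the process.

    Args:
        mac: MAC address string.

    Returns:
        The vendor name, ``"not a MAC"`` when the library rejects the
        input, or ``"module not available"`` when the package is missing.
        Other lookup errors raised by the library propagate to the caller.
    """
    # Import the exception class together with the lookup class. The original
    # referenced InvalidMacError without importing it, so any failure inside
    # the try block (including the missing-module case) ended in a NameError
    # while the except clauses were being evaluated.
    try:
        from mac_vendor_lookup import InvalidMacError, MacLookup
    except ModuleNotFoundError:
        return "module not available"
    try:
        return MacLookup().lookup(mac)
    except InvalidMacError:
        return "not a MAC"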

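@functools.lru_cache()
def dns_lookup(domain,record='A'):
    """Resolve ``domain`` and return the answer records as one string.

    A comma-separated ``domain`` is resolved item by item and the results
    are joined with commas in the same order. Results are memoised per
    ``(domain, record)`` pair for the lifetime of the process.

    Note for analysts: every uncached call sends a live query to the
    configured resolver. When the name comes from evidence under
    investigation, the lookup itself can be observed by whoever operates
    the authoritative name server for that domain.

    Args:
        domain: Domain name, or several names separated by commas.
        record: DNS record type to request (default ``'A'``).

    Returns:
        Comma-joined text form of the answer records, ``""`` when the
        lookup fails or has no answer, or ``"module not available"`` when
        dnspython is not installed.
    """
    names = domain.split(",")
    if len(names) > 1:
        return ",".join([dns_lookup(x, record) for x in names])
    # Import separately from the query: in the original a failed import left
    # the local name ``dns`` unbound, so evaluating
    # ``except dns.resolver.NoAnswer`` raised UnboundLocalError and the
    # "module not available" branch was never reached.
    try:
        import dns.exception
        import dns.resolver
    except ModuleNotFoundError:
        return "module not available"
    try:
        # NOTE: dnspython 2.x deprecates query() in favour of resolve();
        # query() is kept here so older dnspython releases keep working.
        result = dns.resolver.query(domain, record)
        return ",".join([x.to_text() for x in result])
    except dns.exception.DNSException:
        # NoAnswer is a DNSException subclass, so this covers both of the
        # original handlers; each of them returned an empty string.
        return ""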

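@functools.lru_cache()
def _ipinfo(ip):
    """Fetch the ipinfo.io JSON record for a single IP address.

    Results (including failures) are memoised per distinct ``ip`` for the
    lifetime of the process.

    Note for analysts: each uncached call discloses the address being
    investigated to a third-party service.

    Args:
        ip: One IPv4 or IPv6 address as a string.

    Returns:
        The decoded JSON document, or ``None`` when the input is not an IP
        address, ``requests`` is not installed, the request fails, or the
        response body is not valid JSON.
    """
    import ipaddress

    # The value usually comes straight from log data and is interpolated into
    # the URL path, so accept nothing but a syntactically valid address.
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return None
    try:
        import requests
    except ModuleNotFoundError:
        return None
    try:
        # HTTPS keeps the queried address and the enrichment result from being
        # read or altered in transit; the timeout keeps a stalled request from
        # blocking the caller indefinitely.
        r = requests.get(url='https://ipinfo.io/{}/json'.format(addr), timeout=5)
        return r.json()
    except (requests.RequestException, ValueError):
        # The original caught simplejson.errors.JSONDecodeError without ever
        # importing simplejson, which turned every failure into a NameError.
        # JSON decode errors are ValueError subclasses.
        return None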

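@functools.lru_cache()
def ipinfo(ip,type="country"):
    """Return one field of the ipinfo.io record for an IP address.

    A comma-separated ``ip`` is looked up item by item and the results are
    joined with commas in the same order. The record itself is fetched by
    ``_ipinfo``, so each distinct address triggers at most one request.

    Args:
        ip: IP address, or several addresses separated by commas.
        type: Key to read from the record (default ``"country"``).

    Returns:
        The value stored under ``type``, or ``""`` when the record or the
        key is unavailable.
    """
    addresses = ip.split(",")
    if len(addresses) > 1:
        return ",".join([ipinfo(x, type) for x in addresses])
    try:
        return _ipinfo(ip)[type]
    except Exception:
        # Best-effort enrichment: a missing record (None) or a missing key
        # yields an empty cell. ``Exception`` rather than a bare ``except`` so
        # that KeyboardInterrupt and SystemExit are not swallowed.
        return ""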

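@functools.lru_cache()
def mx_lookup(domain):
    """Return the mail exchanger host names for ``domain``.

    A leading ``www.`` label is removed before the MX records are requested
    through ``dns_lookup``.

    Args:
        domain: Domain name, optionally prefixed with ``www.``.

    Returns:
        Comma-joined MX host names (the second field of each
        "<preference> <host>" record), or the exception text if the lookup
        raises.
    """
    # str.lstrip("www.") removes any leading run of the characters 'w' and
    # '.', not the literal prefix: "web.de" became "eb.de". Strip the exact
    # prefix instead.
    if domain.startswith("www."):
        domain = domain[len("www."):]
    try:
        mxs = dns_lookup(domain, 'MX').split(",")
        # Keep only well-formed "<preference> <host>" answers.
        mxt = [x.split(" ")[1] for x in mxs if len(x.split(" ")) == 2]
        return ",".join(mxt)
    except Exception as e:
        return str(e)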

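@functools.lru_cache()
def grab_banner(ip,port=25):
    """Connect to ``ip:port`` over TCP and return the first data received.

    A comma-separated ``ip`` is probed item by item and the results are
    joined with commas in the same order. Results are memoised per
    ``(ip, port)`` pair for the lifetime of the process.

    Note for analysts: this opens a real connection from the local machine
    to an address taken from the data set, and the returned banner is text
    chosen by the remote side. Treat it as untrusted when displaying or
    exporting it.

    Args:
        ip: IPv4 address, or several addresses separated by commas.
        port: TCP port to connect to (default 25).

    Returns:
        The stripped, decoded banner (up to 1024 bytes are read), or ``""``
        on any connection, timeout or decoding error.
    """
    targets = ip.split(",")
    if len(targets) > 1:
        return ",".join([grab_banner(x, port) for x in targets])
    import socket
    try:
        # The context manager closes the socket on success and on failure;
        # the original never closed it and leaked one descriptor per call.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:  # TCP
            sock.settimeout(2)
            sock.connect((ip, port))
            ret = sock.recv(1024)
        return str(ret.strip().decode())
    except Exception:
        # Best-effort probe. ``Exception`` rather than a bare ``except`` so a
        # Ctrl-C during a slow scan is not swallowed.
        return ""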




# Event id (as it appears in the log, i.e. a string) -> event name.
_SYM_EVENT_NAMES = dict((
    ("2", "Scan Stopped"),
    ("3", "Scan Started"),
    ("4", "Definition File Sent To Server"),
    ("5", "Virus Found"),
    ("6", "Scan Omission"),
    ("7", "Definition File Loaded"),
    ("10", "Checksum"),
    ("11", "Auto-Protect"),
    ("12", "Configuration Changed"),
    ("13", "Symantec AntiVirus Shutdown"),
    ("14", "Symantec AntiVirus Startup"),
    ("16", "Definition File Download"),
    ("17", "Scan Action Auto-Changed"),
    ("18", "Sent To Quarantine Server"),
    ("19", "Delivered To Symantec Security Response"),
    ("20", "Backup Restore Error"),
    ("21", "Scan Aborted"),
    ("22", "Load Error"),
    ("23", "Symantec AntiVirus Auto-Protect Loaded"),
    ("24", "Symantec AntiVirus Auto-Protect Unloaded"),
    ("26", "Scan Delayed"),
    ("27", "Scan Re-started"),
    ("34", "Log Forwarding Error"),
    ("39", "Definitions Rollback"),
    ("40", "Definitions Unprotected"),
    ("41", "Auto-Protect Error"),
    ("42", "Configuration Error"),
    ("45", "SymProtect Action"),
    ("46", "Detection Start"),
    ("47", "Detection Action"),
    ("48", "Pending Remediation Action"),
    ("49", "Failed Remediation Action"),
    ("50", "Successful Remediation Action"),
    ("51", "Detection Finish"),
    ("65", "Scan Stopped"),
    ("66", "Scan Started"),
    ("71", "Threat Now Whitelisted"),
    ("72", "Interesting Process Found Start"),
    ("73", "SONAR engine load error"),
    ("74", "SONAR definitions load error"),
    ("75", "Interesting Process Found Finish"),
    ("76", "SONAR operating system not supported"),
    ("77", "SONAR Detected Threat Now Known"),
    ("78", "SONAR engine is disabled"),
    ("79", "SONAR engine is enabled"),
    ("80", "Definition load failed"),
    ("81", "Cache server error"),
    ("82", "Reputation check timed out"),
))


def sym_id(val):
    """Translate an event id string into its event name.

    Args:
        val: Event id as a string, e.g. ``"5"``. Integer ids are not
            accepted because the table is keyed by strings.

    Returns:
        The event name for ``val``.

    Raises:
        KeyError: If ``val`` is not in the table.
    """
    return _SYM_EVENT_NAMES[val]
